
The Optimal Linear Secret Sharing Scheme for Any Given Access Structure Tang Chunming, Gao Shuhong, and Zhang Chengli

Abstract—Any linear code can be used to construct a linear secret sharing scheme. In this paper, it is shown how to decide optimal linear codes (i.e., with the biggest information rate) realizing a given access structure over finite fields. It amounts to solving a system of quadratic equations constructed from the given access structure and the corresponding adversary structure. The system becomes a linear system for binary codes. An algorithm is also given for finding the adversary structure for any given access structure.

Index Terms—Cryptography, secret sharing, linear code, access structure, adversary structure.

I. INTRODUCTION

Secret sharing schemes were first introduced by Blakley [4] and Shamir [22] in 1979. Since then, many constructions have been proposed. The relationship between Shamir's secret sharing scheme and Reed-Solomon codes was pointed out by McEliece and Sarwate in 1981 [18]. Later, several authors considered the construction of secret sharing schemes using linear error-correcting codes. Massey used linear codes for secret sharing schemes and pointed out the relationship between the access structure and the minimal codewords of the dual code of the underlying code [15], [16]. Several authors have investigated minimal codewords for several classes of codes and characterized their access structures [1], [2], [3], [10], [11], [21], [23]. Unfortunately, determining minimal codewords is an NP-hard problem for general linear codes. As pointed out by Massey [17], the main problem is to characterize which access structures can be realized by linear codes. We call this the access structure problem. In [14], Karchmer and Wigderson gave the significant result that there exists a linear code for any access structure among n participants; however, the following problems remain: 1) Does there exist an ideal linear code realizing a given access structure, and how can it be constructed if it exists? A linear code is ideal if the length of the code is equal to n + 1, where n is the number of participants. 2) How can one obtain the optimal linear code realizing a given access structure if there is no ideal linear code? A linear code is optimal if its length is the shortest among all linear codes which realize the given access structure. Obviously, the length of an optimal linear code is bigger than n + 1.

Our Contributions.
1) An access structure uniquely determines an adversary structure and vice versa. We first give an algorithm for finding the adversary structure R corresponding to a given access structure Γ.
2) We show that finding linear codes for an access structure Γ is equivalent to solving a system of quadratic polynomial equations constructed from Γ and R. The given access structure Γ is realizable by a linear code over $\mathbb{F}_q$ if and only if the system has a solution over $\mathbb{F}_q$. When the underlying field is $\mathbb{F}_2$, the system becomes a linear system and so can be solved in polynomial time (in terms of the sizes of Γ and R).
3) We show how to reduce the number of variables used in the polynomial equations, hence speeding up any algorithm for solving the polynomial system. This seems to be the first algorithmic approach to the access structure problem.
4) We propose an algorithm to construct the optimal linear code realizing a given access structure if an ideal linear code does not exist.

Related Works. The secret sharing schemes we consider in this paper are ideal and perfect. A secret sharing scheme is called ideal if the size of each share is equal to the size of the secret, and perfect if every subset of shares can either reconstruct the secret or obtain no partial information at all on the secret; that is, if a subset of the participants can deduce any partial information on the secret, then they can completely reconstruct the secret. The span program proposed by Karchmer and Wigderson [14] is a secret sharing scheme that can be perfect but not ideal. In their paper, an access structure corresponds to a monotone Boolean function. They show how to compute monotone functions via matrices over finite fields (which correspond to generating matrices for linear codes). They pointed out that it is easy to realize any access structure via non-ideal secret sharing schemes. Further results in this direction can be found in [5], [8], [9], [12], [13], [24], [25].

Outline of the Paper. The paper is organized as follows. In Section II, we recall the relationships between secret sharing schemes and linear codes. In Section III, we consider the existence of linear codes over a finite field $\mathbb{F}_q$ for a given access structure and present an efficient algorithm for finding the adversary structure for any given access structure. In Section IV, we give improvements on the results of Section III, in particular on reducing the number of constraints needed from R. In Section V, an algorithm to find the optimal linear code is proposed.

Tang Chunming is with the Department of Mathematics and Information Science, Guangzhou University, Guangzhou, 510006 China e-mail: [email protected]


II. SECRET SHARING SCHEMES AND LINEAR CODES

A linear code C of length n + 1 over $\mathbb{F}_q$ is simply a linear subspace of $\mathbb{F}_q^{n+1}$. If C has dimension k, then C is generated by the rows of a k × (n + 1) matrix $G = (g_0, g_1, \cdots, g_n)$ of rank k, which is called a generating matrix of C. There are several ways to use linear codes to construct secret sharing schemes [15], [21]. We focus mainly on secret sharing schemes that are perfect and ideal.

Suppose a secret s is to be shared among n participants, identified as 1, ..., n. We assume that the secret s can be viewed as an element of a finite field $\mathbb{F}_q$. Let C be a linear code of length n + 1 over $\mathbb{F}_q$ with dimension k. To compute the shares of s, a dealer D chooses a random codeword $t = (t_0, t_1, ..., t_n) \in C$ such that $t_0 = s$. Then $t_i$ is the share for participant i, 1 ≤ i ≤ n. More concretely, this can be done as follows. Suppose $G = (g_0, g_1, \cdots, g_n)$ is a generating matrix for C, where each $g_i$ is a column vector of length k. Choose a random vector $u = (u_0, ..., u_{k-1}) \in \mathbb{F}_q^k$ such that $s = u g_0$. There are altogether $q^{k-1}$ such vectors $u \in \mathbb{F}_q^k$. The dealer D computes the corresponding codeword $t = (t_0, t_1, ..., t_n) = uG$, then securely sends $t_i$ to participant i as a share for i = 1, 2, ..., n.

The dual code $C^\perp$ of C is defined as
$$C^\perp = \{c \in \mathbb{F}_q^{n+1} \mid G c^{\mathsf T} = 0\},$$
that is, a vector $c \in \mathbb{F}_q^{n+1}$ is in $C^\perp$ iff c is orthogonal to all codewords in C. If $c = (c_0, c_1, ..., c_n) \in C^\perp$ with $c_0 \neq 0$ then, for any codeword $(s, t_1, \ldots, t_n) \in C$, we have
$$s = -\frac{1}{c_0} \sum_{i=1}^{n} c_i t_i. \qquad (1)$$

Let $S_c = \{i \mid 1 \le i \le n,\ c_i \neq 0\}$. Then equation (1) implies that the secret s can be reconstructed from the shares $t_i$, $i \in S_c$. Now suppose S is any subset of $[1, n] = \{1, \ldots, n\}$. The following lemma tells us when the participants in S can reconstruct the secret.

Lemma 1. Let $(s, t_1, \ldots, t_n) \in C$ be a random codeword, where C is generated by a matrix $G = (g_0, g_1, \cdots, g_n)$. Then, for any subset S of [1, n], (a) if $g_0$ is a linear combination of the $g_i$, $i \in S$, then the participants in S can reconstruct the secret s by a linear function as in (1) for some $c \in C^\perp$; and (b) if $g_0$ is not a linear combination of the $g_i$, $i \in S$, then the participants in S cannot compute any information on s.

Part (a) is straightforward. Part (b) needs some clarification. When $(s, t_1, \ldots, t_n)$ is a random codeword in C, the values $s, t_1, \ldots, t_n$ can be viewed as random variables. Then it is straightforward to show that the conditional Shannon entropy $H(s \mid t_i, i \in S) = 0$ in part (b). Hence the values $t_i$, $i \in S$, do not contain any information on s. This means that there is no function (linear or nonlinear) nor algorithm to compute s from the shares $t_i$, $i \in S$.

A subset S ⊆ [1, n] is called an access or accepted set of C if there is $c \in C^\perp$ such that $c_0 = 1$ and $\mathrm{supp}(c) \subseteq S \cup \{0\}$, where $\mathrm{supp}(c) = \{i \in [0, n] \mid c_i \neq 0\}$ is called the support of c. If S is an accepted set, then any set containing S is also accepted. An access set S is called minimal if no proper subset of it is an access set. Let Γ(C) denote the set of all minimal access sets of C. Then a subset S is an access set of C iff S contains one of the sets in Γ(C). A subset S is called a rejected set of C if it is not an access set. If S is a rejected set, then any subset of it is also rejected. A rejected set S is called maximal if every set properly containing S is an access set. Let R(C) denote the set of all maximal rejected sets of C. Note that, given a code C, we do not know any efficient algorithm to find Γ(C), as the problem of finding vectors of minimum Hamming weight in an arbitrary linear code is NP-hard. In the next section, we shall show how to find R(C) from Γ(C), and give necessary and sufficient conditions for an access structure to be realizable by linear codes.

Before we proceed to the next section, we briefly mention more general secret sharing schemes constructed from linear codes. Suppose the secret is a vector $(s_1, \ldots, s_\ell)$ of ℓ elements from a finite field $\mathbb{F}_q$, and it is to be shared by n participants 1, ..., n. Let m ≥ n. We use a linear code C of length m + ℓ over $\mathbb{F}_q$ to get a secret sharing scheme as follows. Partition the set $[1, m] = \{1, 2, \ldots, m\}$ as $[1, m] = T_1 \cup T_2 \cup \cdots \cup T_n$. Suppose C has a generator matrix of the form
$$G = (u_1, \ldots, u_\ell, g_1, \ldots, g_m),$$
where the column vectors $u_1, \ldots, u_\ell$ are linearly independent over $\mathbb{F}_q$. To share a secret $(s_1, \ldots, s_\ell)$, a dealer picks a random codeword $c = (u_1, \ldots, u_\ell, t_1, \ldots, t_m) \in C$ such that $(u_1, \ldots, u_\ell) = (s_1, \ldots, s_\ell)$. The share for participant i (1 ≤ i ≤ n) is the sequence $t_j$, $j \in T_i$. When ℓ = 1, this secret sharing scheme is equivalent to the span program of Karchmer and Wigderson [14], which is perfect but not ideal. It is easy to show that an arbitrary access structure can be realized by choosing a large m and a proper partition of [1, m]. So the access structure problem for this class of secret sharing schemes is trivial. However, finding the smallest m to realize a given access structure is still wide open; it corresponds to the shortest program to compute a monotone Boolean function. When ℓ > 1, the above secret sharing scheme is no longer perfect, that is, it is possible that a subset of the participants can compute some partial information on the secret $(s_1, \ldots, s_\ell)$ but cannot completely determine the secret. These schemes are studied by I. Cascudo, H. Chen et al. in [6], [7], and by W. Ogata and K. Kurosawa in [19], [20].


III. LINEAR CODES FOR GIVEN ACCESS STRUCTURES

Let $\Gamma = \{S_1, ..., S_m\}$ be any collection of subsets of [1, n]. Without loss of generality, we assume that no subset in Γ contains another subset in Γ. Then Γ defines an access structure for which a subset S of [1, n] is accepted iff S contains a subset in Γ. Our goal in this section is to characterize, for a given access structure Γ, when there is a linear code C over $\mathbb{F}_q$ such that Γ = Γ(C). A subset T of [1, n] is called rejected if it does not contain any subset in Γ. The collection of all rejected sets is called the adversary structure of Γ. Let R denote the collection of all maximal rejected sets of Γ.

Example 1. Assume an access structure Γ = {(1, 2, 3), (3, 4, 5), (3, 5, 6)} in a secret sharing scheme with participants {1, 2, 3, 4, 5, 6}. Then its adversary structure is R = {(1, 2, 4, 5, 6), (1, 3, 4, 6), (2, 3, 4, 6), (1, 3, 5), (2, 3, 5)}.

A. Finding Adversary Structures from Access Structures

Suppose we are given an access structure $\Gamma = \{S_1, ..., S_m\}$, where $S_i \subset [1, n]$ for 1 ≤ i ≤ m. Γ can be denoted by a matrix:
$$\Gamma = \begin{pmatrix} h_{11} & h_{12} & \ldots & h_{1n} \\ h_{21} & h_{22} & \ldots & h_{2n} \\ & & \ldots & \\ h_{m1} & h_{m2} & \ldots & h_{mn} \end{pmatrix},$$
where $h_{ij} \neq 0$ if $j \in S_i$, else $h_{ij} = 0$, for 1 ≤ i ≤ m, 1 ≤ j ≤ n. Also, we define an m × (n + 1) matrix H of the following form:
$$H = \begin{pmatrix} \mathbf{1} & \Gamma \end{pmatrix} = \begin{pmatrix} 1 & h_{11} & h_{12} & \ldots & h_{1n} \\ 1 & h_{21} & h_{22} & \ldots & h_{2n} \\ & & & \ldots & \\ 1 & h_{m1} & h_{m2} & \ldots & h_{mn} \end{pmatrix} = \begin{pmatrix} h_1 \\ h_2 \\ \cdots \\ h_m \end{pmatrix}, \qquad (2)$$
where $\mathbf{1}$ is an all-one column vector. We shall assume in the rest of the paper that each participant i ∈ [1, n] is in some subset in Γ, so H has no all-zero column. Compared with the matrix Γ, the matrix H has only one added column, called the 0th column; the other columns of H are called the 1st, ..., nth columns. The i-th column of H corresponds to participant i for i = 1, 2, ..., n. Let $z_j$ denote the jth column of H, 1 ≤ j ≤ n. For each 1 ≤ i ≤ m, define
$$A_i = \{1 \le j \le n \mid |\mathrm{supp}(z_j)| = i\},$$
where |S| denotes the number of elements in a set S. Each $A_i$ can be partitioned as $A_i = A_{i1} \cup \cdots \cup A_{is}$, where $k, l \in A_i$ are in one group iff the kth and lth columns of H have the same support. This implies that if k, l are in different groups, there exist $j_1, j_2 \in \{1, 2, ..., m\}$ such that $h_{j_1 k} \neq 0$, $h_{j_1 l} = 0$ and $h_{j_2 k} = 0$, $h_{j_2 l} \neq 0$. Certainly, $s \le \binom{m}{i}$. Also, for any subset B ⊆ [1, m], let $H_B$ denote the submatrix of H consisting of the rows indexed by the elements in B. We say a subset T ⊆ [1, n] overlays a subset B ⊆ [1, m] if, for each i ∈ B, there exists j ∈ T such that $h_{ij} \neq 0$.

Lemma 2. Let B ⊆ [1, m] with |B| = t. If $T_1 \subseteq A_i$, $|T_1| > \binom{t-1}{i}$, and any two elements in $T_1$ are in different groups in $A_i$, then $T_1$ must overlay B.

Proof: There exist at most $\binom{t-1}{i}$ different groups in $A_i$ in t − 1 rows of $H_B$; hence $T_1$ must overlay B. □

Note that if $A \cup A' = [1, n]$ and $A \cap A' = \emptyset$, then $A = \overline{A'}$. We have the following simple lemma.

Lemma 3. Let B ⊆ [1, m]. Then T ⊆ [1, n] overlays B if and only if T does not contain any $S_i \in \Gamma$ with i ∈ B.

Theorem 1. A subset T ⊆ [1, n] is a maximal rejected set of Γ iff [1, m] is overlayed by T but not by any proper subset of T.

Proof: For any $k \in \overline{T}$, i.e., $k \notin T$, T ∪ {k} contains at least one $S_i \in \Gamma$. That is, T is a rejected set, but T ∪ {k} is not a rejected set for any $k \notin T$; hence T is a maximal rejected set according to the definition of maximal rejected set. On the other hand, if S ∈ R, then S must overlay [1, m] by Lemma 3. Now assume there exists a proper subset S′ ⊂ S such that S′ overlays [1, m]; then S′ is a rejected set. However, S ⊂ S′ is contrary to the assumption that S is a maximal rejected set. That is, if S is a maximal rejected set, then it must be generated by a set T which overlays [1, m] while [1, m] is not overlayed by any proper subset of T. □

According to this theorem, we provide an algorithm to generate the adversary structure R of Γ.

Algorithm: Finding R from Γ.
1) Initially R is empty. Define the $A_i$'s from Γ as above.
2) If $A_m \neq \emptyset$, then add {i} to R for each $i \in A_m$.
3) For i from m − 1 down to 1, if $A_{m-i} \neq \emptyset$, find all subsets $T_1 \subseteq A_{m-i}$, $T_2 \subseteq A_1 \cup \cdots \cup A_{m-i-1}$ such that [1, m] is overlayed by $T_1 \cup T_2$ but not by any proper subset of $T_1 \cup T_2$, and $|T_1| \ge 1$. For each of them, add $T_1 \cup T_2$ to R.
4) Return R.

This algorithm may still have exponential running time when n is large. We hope to improve it to polynomial time in terms of the sizes of Γ and R. Note that it is possible that the size of R itself is exponentially larger than that of Γ. So there is no algorithm that is polynomial in the size of R alone.

B. Finding Linear Codes for Given Access Structures

In this section, we propose a method to decide when an access structure Γ can be realized by linear codes, that is, whether there is a linear code C over $\mathbb{F}_q$ such that Γ = Γ(C). We need another characterization of rejected sets.

Lemma 4. Let $C \subseteq \mathbb{F}_q^{n+1}$ be any linear code. Then a subset T ⊆ [1, n] is a rejected set of C iff there is a codeword $c = (c_0, c_1, \ldots, c_n) \in C$ such that $c_0 = 1$ and $c_i = 0$ for all i ∈ T.

Proof: Let $G = (g_0, g_1, \cdots, g_n)$ be any generator matrix for C. Suppose G has k rows (which need not be linearly independent). First assume that T is a rejected set of C. By definition, this means that $g_0$ is not a linear combination of the vectors $g_i$, i ∈ T. By linear algebra, there is a vector $v = (v_1, \ldots, v_k) \in \mathbb{F}_q^k$ such that
$$v g_0 = 1, \qquad v g_i = 0 \ \text{ for all } i \in T.$$
Hence the codeword c = vG ∈ C has the required property. Conversely, suppose C contains such a codeword c ∈ C. Then c = vG for some vector $v = (v_1, \ldots, v_k) \in \mathbb{F}_q^k$. T must be a rejected set, since if T were an accepted set then $g_0$ would be a linear combination of the vectors $g_i$, i ∈ T. Since $c_i = v g_i = 0$ for all i ∈ T, we would have $c_0 = v g_0 = 0$, a contradiction. □

This lemma immediately gives us a method for finding linear codes to realize a given access structure $\Gamma = \{S_1, S_2, \ldots, S_m\}$. Let H be defined as above, where the $h_{ij} \neq 0$ are treated as unknowns for all $j \in S_i$. Suppose we have found the corresponding adversary structure of Γ: $R = \{R_1, R_2, \ldots, R_\ell\}$. Define
$$G = \begin{pmatrix} 1 & g_{11} & g_{12} & \cdots & g_{1n} \\ 1 & g_{21} & g_{22} & \cdots & g_{2n} \\ \cdots & \cdots & \cdots & \cdots & \cdots \\ 1 & g_{\ell 1} & g_{\ell 2} & \cdots & g_{\ell n} \end{pmatrix}, \qquad (3)$$
where $g_{ij} = 0$ if $j \in R_i$ and $g_{ij}$ is an unknown for all $j \notin R_i$.

Theorem 2. There is a linear code for a given access structure $\Gamma = \{S_1, ..., S_m\}$ if and only if the following system of quadratic equations
$$G H^{\mathsf T} = 0 \qquad (4)$$
has a solution for $h_{ij}$, $j \in S_i$, and $g_{ij}$, $j \notin R_i$, over $\mathbb{F}_q$ with $h_{ij} \neq 0$ for $j \in S_i$.

Proof: Assume there exists a linear code C such that Γ(C) = Γ. Then all the minimal codewords with first component 1 in $C^\perp$ are just $h_1, ..., h_m$, and for each $R_i \in R$ there is no codeword $h \in C^\perp$ such that $h_0 = 1$ and $\mathrm{supp}(h) \setminus \{0\} \subseteq R_i$. According to Lemma 4, $R_i \in R$ if and only if there exists a codeword $g_i \in C$ such that $g_{i0} = 1$ and $g_{ij} = 0$ if $j \in R_i$. Obviously, $\langle g_i, h_j \rangle = 0$ for 1 ≤ i ≤ ℓ and 1 ≤ j ≤ m. Hence the system (4) has the required solution over $\mathbb{F}_q$. Now assume G and H form a solution to (4). Let C be the row span of G. Obviously, $h_1, ..., h_m \in C^\perp$, hence $S_1, ..., S_m \in \Gamma(C)$. Also, the ith row of G implies that $R_i \in R(C)$ for 1 ≤ i ≤ ℓ. Therefore C has no other minimal accepted sets, so it is a linear code with Γ(C) = Γ. □

C. Some Examples

Example 2. Find a linear code over $\mathbb{F}_q^7$ for Γ = {(1, 2, 3), (3, 4, 5), (3, 5, 6)}.

According to Theorem 1, R = {(1, 2, 4, 5, 6), (1, 3, 4, 6), (2, 3, 4, 6), (1, 3, 5), (2, 3, 5)}. Let
$$H = \begin{pmatrix} 1 & h_{11} & h_{12} & h_{13} & 0 & 0 & 0 \\ 1 & 0 & 0 & h_{23} & h_{24} & h_{25} & 0 \\ 1 & 0 & 0 & h_{33} & 0 & h_{35} & h_{36} \end{pmatrix}, \qquad G = \begin{pmatrix} 1 & 0 & 0 & g_{13} & 0 & 0 & 0 \\ 1 & 0 & g_{22} & 0 & 0 & g_{25} & 0 \\ 1 & g_{31} & 0 & 0 & 0 & g_{35} & 0 \\ 1 & 0 & g_{42} & 0 & g_{44} & 0 & g_{46} \\ 1 & g_{51} & 0 & 0 & g_{54} & 0 & g_{56} \end{pmatrix},$$
where $h_{ij} \in \mathbb{F}_q^*$ for 1 ≤ i ≤ 3, 1 ≤ j ≤ 6, and $g_{ij} \in \mathbb{F}_q$ for 1 ≤ i ≤ 5, 1 ≤ j ≤ 6. According to Theorem 2, we need to solve the following system of equations:
$$\left\{\begin{array}{lllll} 1 + h_{13} g_{13} = 0, & 1 + h_{12} g_{22} = 0, & 1 + h_{11} g_{31} = 0, & 1 + h_{12} g_{42} = 0, & 1 + h_{11} g_{51} = 0, \\ 1 + h_{23} g_{13} = 0, & 1 + h_{25} g_{25} = 0, & 1 + h_{25} g_{35} = 0, & 1 + h_{24} g_{44} = 0, & 1 + h_{24} g_{54} = 0, \\ 1 + h_{33} g_{13} = 0, & 1 + h_{35} g_{25} = 0, & 1 + h_{35} g_{35} = 0, & 1 + h_{36} g_{46} = 0, & 1 + h_{36} g_{56} = 0. \end{array}\right. \qquad (5)$$

It is straightforward to find a general solution: $h_{13} = h_{23} = h_{33}$, $h_{25} = h_{35}$, $g_{31} = g_{51} = -h_{11}^{-1}$, $g_{22} = g_{42} = -h_{12}^{-1}$, $g_{44} = g_{54} = -h_{24}^{-1}$, $g_{25} = g_{35} = -h_{25}^{-1}$, $g_{46} = g_{56} = -h_{36}^{-1}$, $g_{13} = -h_{13}^{-1}$. Hence there is a linear code C in $\mathbb{F}_q^7$ for the access structure Γ. □

Example 3. Find a linear code C in $\mathbb{F}_q^5$ for Γ = {(1, 2), (2, 3), (3, 4)}.

According to Theorem 1, R = {(1, 3), (1, 4), (2, 4)}. Let
$$H = \begin{pmatrix} 1 & h_{11} & h_{12} & 0 & 0 \\ 1 & 0 & h_{22} & h_{23} & 0 \\ 1 & 0 & 0 & h_{33} & h_{34} \end{pmatrix}, \qquad G = \begin{pmatrix} 1 & 0 & g_{12} & 0 & g_{14} \\ 1 & 0 & g_{22} & g_{23} & 0 \\ 1 & g_{31} & 0 & g_{33} & 0 \end{pmatrix},$$
where $h_{ij} \in \mathbb{F}_q^*$ for 1 ≤ i ≤ 3, 1 ≤ j ≤ 4, and $g_{ij} \in \mathbb{F}_q$ for 1 ≤ i ≤ 3, 1 ≤ j ≤ 4. According to Theorem 2, we obtain the following equations:
$$\left\{\begin{array}{l} 1 + h_{12} g_{12} = 0 \\ 1 + h_{12} g_{22} = 0 \\ 1 + h_{11} g_{31} = 0 \\ 1 + h_{22} g_{12} = 0 \\ 1 + h_{22} g_{22} + h_{23} g_{23} = 0 \\ 1 + h_{23} g_{33} = 0 \\ 1 + h_{34} g_{14} = 0 \\ 1 + h_{33} g_{23} = 0 \\ 1 + h_{33} g_{33} = 0 \end{array}\right. \qquad (6)$$
It is again straightforward to check that this system has no solution over $\mathbb{F}_q$ for any q. Hence there is no linear code C in $\mathbb{F}_q^5$ for the access structure Γ. □

For the next example, one can imagine that there are two companies A and B. The administrators of company A are players 1, 2, 3 and the administrators of company B are players 4, 5, 6. They plan to start a joint venture project. The project can be executed only if a majority of the administrators of each company agree. Hence the following model could be useful for this situation. Generally, the sets A and B may have more elements.

Example 4. Let
$$\Gamma = \{(1, 2, 4, 5), (1, 2, 4, 6), (1, 2, 5, 6), (1, 3, 4, 5), (1, 3, 4, 6), (1, 3, 5, 6), (2, 3, 4, 5), (2, 3, 4, 6), (2, 3, 5, 6)\}.$$
Then
$$R = \{(1, 2, 3, 4), (1, 2, 3, 5), (1, 2, 3, 6), (1, 4, 5, 6), (2, 4, 5, 6), (3, 4, 5, 6)\}.$$
Let
$$H = \begin{pmatrix} 1 & h_{11} & h_{12} & 0 & h_{14} & h_{15} & 0 \\ 1 & h_{21} & h_{22} & 0 & h_{24} & 0 & h_{26} \\ 1 & h_{31} & h_{32} & 0 & 0 & h_{35} & h_{36} \\ 1 & h_{41} & 0 & h_{43} & h_{44} & h_{45} & 0 \\ 1 & h_{51} & 0 & h_{53} & h_{54} & 0 & h_{56} \\ 1 & h_{61} & 0 & h_{63} & 0 & h_{65} & h_{66} \\ 1 & 0 & h_{72} & h_{73} & h_{74} & h_{75} & 0 \\ 1 & 0 & h_{82} & h_{83} & h_{84} & 0 & h_{86} \\ 1 & 0 & h_{92} & h_{93} & 0 & h_{95} & h_{96} \end{pmatrix}, \qquad G = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & g_{15} & g_{16} \\ 1 & 0 & 0 & 0 & g_{24} & 0 & g_{26} \\ 1 & 0 & 0 & 0 & g_{34} & g_{35} & 0 \\ 1 & 0 & g_{42} & g_{43} & 0 & 0 & 0 \\ 1 & g_{51} & 0 & g_{53} & 0 & 0 & 0 \\ 1 & g_{61} & g_{62} & 0 & 0 & 0 & 0 \end{pmatrix},$$
where $h_{ij} \in \mathbb{F}_q^*$ for 1 ≤ i ≤ 9, 1 ≤ j ≤ 6, and $g_{ij} \in \mathbb{F}_q$ for 1 ≤ i ≤ 6, 1 ≤ j ≤ 6. The general solution is of the following form in $\mathbb{F}_q$: $h_{11} = h_{21} = h_{31} = g_{51}^{-1}$, $h_{12} = h_{22} = h_{32} = g_{42}^{-1}$, $h_{41} = h_{51} = h_{61} = g_{61}^{-1}$, $h_{43} = h_{53} = h_{63} = g_{43}^{-1}$, $h_{72} = h_{82} = h_{92} = g_{62}^{-1}$, $h_{73} = h_{83} = h_{93} = g_{53}^{-1}$, $h_{14} = h_{44} = h_{74} = g_{24}^{-1}$, $h_{15} = h_{45} = h_{75} = g_{15}^{-1}$, $h_{24} = h_{54} = h_{84} = g_{34}^{-1}$, $h_{26} = h_{56} = h_{86} = g_{16}^{-1}$, $h_{35} = h_{65} = h_{95} = g_{35}^{-1}$, $h_{36} = h_{66} = h_{96} = g_{26}^{-1}$, where
$$\begin{array}{lll} 1 + h_{11} g_{61} + h_{12} g_{62} = 0, & 1 + h_{21} g_{61} + h_{22} g_{62} = 0, & 1 + h_{31} g_{61} + h_{32} g_{62} = 0, \\ 1 + h_{41} g_{51} + h_{43} g_{53} = 0, & 1 + h_{51} g_{51} + h_{53} g_{53} = 0, & 1 + h_{61} g_{51} + h_{63} g_{53} = 0, \\ 1 + h_{72} g_{42} + h_{73} g_{43} = 0, & 1 + h_{82} g_{42} + h_{83} g_{43} = 0, & 1 + h_{92} g_{42} + h_{93} g_{43} = 0, \\ 1 + h_{14} g_{34} + h_{15} g_{35} = 0, & 1 + h_{44} g_{34} + h_{45} g_{35} = 0, & 1 + h_{74} g_{34} + h_{75} g_{35} = 0, \\ 1 + h_{24} g_{24} + h_{26} g_{26} = 0, & 1 + h_{54} g_{24} + h_{56} g_{26} = 0, & 1 + h_{84} g_{24} + h_{86} g_{26} = 0, \\ 1 + h_{35} g_{15} + h_{36} g_{16} = 0, & 1 + h_{65} g_{15} + h_{66} g_{16} = 0, & 1 + h_{95} g_{15} + h_{96} g_{16} = 0. \end{array}$$

When q = 2, the polynomial system (4) becomes a linear system for G, as the nonzero entries of H must all be 1. Hence the system can be solved by Gaussian elimination. Therefore, given an access structure Γ, once the adversary structure R is found, one can decide in polynomial time (in terms of the sizes of Γ and R) whether there is a linear code over $\mathbb{F}_2$ realizing Γ.

IV. IMPROVEMENT ON ADVERSARY STRUCTURE

Since $C^\perp$ is the row span of H, we consider the following definition.

Definition 1 [7]. A subset R ⊆ [1, n] is called a real rejected set of C if there is no $y \in C^\perp$ such that $y_0 = 1$ and $\mathrm{supp}(y) \setminus \{0\} \subseteq R$. A real rejected set R is called a maximal real rejected set if any set R′ with R ⊂ R′ can recover the secret.

According to the above definition, it is obvious that some subsets $R_{i_1}, ..., R_{i_t}$ in R are rejected sets because, for each $R_{i_j}$ (j = 1, 2, ..., t), it is impossible that there is a codeword $c \in C^\perp$ such that $\mathrm{supp}(c) \setminus \{0\} \subseteq R_{i_j}$. Hence we only consider a smaller adversary structure, called the real adversary structure R(C), in which each element R may satisfy that there is a codeword $c \in C^\perp$ such that $c_0 = 1$ and $\mathrm{supp}(c) \setminus \{0\} \subseteq R$. In this section, we will propose an algorithm to find R(C).
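The Section III procedure carried through over $\mathbb{F}_2$, as an added example that is not code from the paper: the maximal rejected sets are computed from Γ as in Theorem 1 (using the reading Example 1 exhibits, that each maximal rejected set is the complement of a minimal set meeting every $S_i$), H and G are set up as in (2) and (3) with every non-zero $h_{ij}$ equal to 1, and the resulting linear system (4) is solved by Gaussian elimination over GF(2), as the remark after Example 4 describes. The function names and the bitmask encoding of the equations are my own choices.

```python
"""Section III over F_2: from an access structure Gamma to an ideal binary
linear code, or a proof that none exists (added example, not the paper's code).

  1. R from Gamma (Theorem 1): each maximal rejected set is the complement of
     a minimal set that overlays [1, m], i.e. that meets every S_i.
  2. H = (1 | Gamma) with every non-zero h_ij equal to 1, the only non-zero
     element of F_2; G as in (3) with an unknown g_ij for every j not in R_i.
  3. G H^T = 0 (Theorem 2) is then linear in the g_ij and is solved by
     Gaussian elimination over GF(2), as the remark after Example 4 says.
Participants are numbered 1..n; Gamma is a list of tuples of participants.
"""
from itertools import combinations


def maximal_rejected_sets(gamma, n):
    """Adversary structure R of Gamma: complements of the minimal overlaying sets."""
    participants = set(range(1, n + 1))
    minimal_overlays = []
    for size in range(1, n + 1):
        for t in combinations(sorted(participants), size):
            ts = set(t)
            if any(o <= ts for o in minimal_overlays):
                continue  # a smaller overlaying set lies inside t: not minimal
            if all(ts & set(s) for s in gamma):
                minimal_overlays.append(ts)
    return [frozenset(participants - t) for t in minimal_overlays]


def solve_gf2(equations, nvars):
    """Gaussian elimination over GF(2).

    equations: list of (mask, rhs) where bit v of mask is the coefficient of x_v.
    Returns one solution (free variables set to 0) or None if inconsistent.
    """
    pivots = {}  # pivot bit -> (mask, rhs); each row holds only its own pivot bit
    for mask, rhs in equations:
        for bit, (pm, pr) in pivots.items():
            if mask >> bit & 1:
                mask ^= pm
                rhs ^= pr
        if mask == 0:
            if rhs:
                return None  # reduced to 0 = 1: no solution
            continue
        bit = mask.bit_length() - 1
        for b, (pm, pr) in list(pivots.items()):
            if pm >> bit & 1:
                pivots[b] = (pm ^ mask, pr ^ rhs)
        pivots[bit] = (mask, rhs)
    solution = [0] * nvars
    for bit, (_, rhs) in pivots.items():
        solution[bit] = rhs
    return solution


def binary_ideal_code(gamma, n):
    """Generator matrix G (rows of length n + 1, first entry 1) of an ideal
    linear code over F_2 realising Gamma, or None if system (4) has no solution."""
    rejected = maximal_rejected_sets(gamma, n)
    var = {}  # (i, j) -> variable index of the unknown g_ij, j not in R_i
    for i, r in enumerate(rejected):
        for j in range(1, n + 1):
            if j not in r:
                var[(i, j)] = len(var)
    equations = []
    for i, r in enumerate(rejected):
        for s in gamma:
            # <g_i, h_k> = 1*1 + sum_{j in S_k \ R_i} g_ij = 0, i.e. the sum equals 1
            mask = 0
            for j in s:
                if j not in r:
                    mask |= 1 << var[(i, j)]
            equations.append((mask, 1))
    sol = solve_gf2(equations, len(var))
    if sol is None:
        return None
    return [[1] + [0 if j in r else sol[var[(i, j)]] for j in range(1, n + 1)]
            for i, r in enumerate(rejected)]


def is_orthogonal(G, gamma, n):
    """Check G H^T = 0 over F_2 for H = (1 | Gamma)."""
    H = [[1] + [1 if j in s else 0 for j in range(1, n + 1)] for s in gamma]
    return all(sum(a * b for a, b in zip(g, h)) % 2 == 0 for g in G for h in H)


if __name__ == "__main__":
    examples = {  # the access structures of Examples 2, 3 and 4
        "Example 2": ([(1, 2, 3), (3, 4, 5), (3, 5, 6)], 6),
        "Example 3": ([(1, 2), (2, 3), (3, 4)], 4),
        "Example 4": ([(1, 2, 4, 5), (1, 2, 4, 6), (1, 2, 5, 6), (1, 3, 4, 5), (1, 3, 4, 6),
                       (1, 3, 5, 6), (2, 3, 4, 5), (2, 3, 4, 6), (2, 3, 5, 6)], 6),
    }
    for name, (gamma, n) in examples.items():
        R = sorted(sorted(r) for r in maximal_rejected_sets(gamma, n))
        G = binary_ideal_code(gamma, n)
        print(name, "R =", R, "| ideal code over F_2:", "yes" if G else "no")
```

For Examples 2 and 3 the output agrees with the text (a code exists, respectively none exists, and the computed R matches the adversary structures stated there). Example 4 has no solution over $\mathbb{F}_2$, because the constraint $1 + h_{14} g_{34} + h_{15} g_{35} = 0$ cannot hold when all three products equal 1, which illustrates that realizability in Theorem 2 depends on the field.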

A. Definition of Real Adversary Structure

Since $C^\perp$ is the row span of H, any vector $y \in C^\perp$ is of the form
$$y = (y_0, y_1, ..., y_n) = \Big(\sum_{i=1}^{m} k_i,\ \sum_{i=1}^{m} k_i h_{i1},\ ...,\ \sum_{i=1}^{m} k_i h_{in}\Big). \qquad (7)$$
Let $B = \{i_1, i_2, ..., i_t\} \subseteq [1, m]$ with 2 ≤ t ≤ m. We use $H_B$ to denote the sub-matrix of H composed of all rows of H indexed by B, that is,
$$H_B = \begin{pmatrix} 1 & h_{i_1 1} & h_{i_1 2} & \ldots & h_{i_1 n} \\ 1 & h_{i_2 1} & h_{i_2 2} & \ldots & h_{i_2 n} \\ & & & \ldots & \\ 1 & h_{i_t 1} & h_{i_t 2} & \ldots & h_{i_t n} \end{pmatrix} = \begin{pmatrix} h_{i_1} \\ h_{i_2} \\ \ldots \\ h_{i_t} \end{pmatrix}. \qquad (8)$$

Definition 2 (Possible Vector of $H_B$). We call a row vector
$$y = (y_0, y_1, ..., y_n) = \Big(\sum_{i \in B} k_i,\ \sum_{i \in B} k_i h_{i1},\ ...,\ \sum_{i \in B} k_i h_{in}\Big)$$
a possible vector of $H_B$, where $k_i \in \mathbb{F}_q^*$ for i ∈ B.

Definition 3 (Candidate Accepted Vector of $H_B$). We call a possible vector $y = (1, y_1, ..., y_n)$ of $H_B$ a candidate accepted vector of $H_B$ if y does not cover any one of the vectors $h_{i_1}, ..., h_{i_t}$.

Definition 4 (Maximal Candidate Accepted Vector of $H_B$). A candidate accepted vector $y = (1, y_1, ..., y_n)$ of $H_B$ is called a maximal candidate accepted vector of $H_B$ if, for each i with $y_i = 0$ such that there are at least two non-zero entries in the ith column of $H_B$, there is j ∈ B such that $\mathrm{supp}(h_j) \subseteq \mathrm{supp}(y) \cup \{i\}$. Let $V_{MB}$ be the set of all maximal candidate accepted vectors of $H_B$.

Definition 5 ((Maximal) Candidate Accepted Set). A set $S_y$ is called a candidate accepted set if y is a candidate accepted vector. A candidate accepted set $S_y$ is called a maximal candidate accepted set if y is a maximal candidate accepted vector. Let $R_{MB} = \{S_c \mid c \in V_{MB}\}$.

Definition 6. For any B ⊆ [1, m] with |B| ≥ 2, let $R'_{MB}$ consist of the elements of $R_{MB}$ that do not contain any one of $S_1, ..., S_m$. Let
$$R(C) = \bigcup_{B \subseteq [1, m],\ |B| \ge 2} R'_{MB}.$$
R(C) is called the real adversary structure of Γ from $C^\perp$.

Example 5. Assume the access structure Γ = {(1, 2, 3), (3, 4, 5), (3, 5, 6)} in a secret sharing scheme with participants {1, 2, 3, 4, 5, 6}. Hence H is of the form
$$H = \begin{pmatrix} 1 & a_1 & a_2 & a_3 & 0 & 0 & 0 \\ 1 & 0 & 0 & b_1 & b_2 & b_3 & 0 \\ 1 & 0 & 0 & c_1 & 0 & c_2 & c_3 \end{pmatrix}. \qquad (9)$$
According to Definition 6, R(C) = {(1, 2, 4, 5, 6), (3, 4, 6)}. Comparing with Example 1, |R(C)| ≤ |R|.

B. Construction of Real Adversary Structure

Definition 7. A matrix M is called decomposable if there is a row and column permutation transforming M into the following form:
$$M = \begin{pmatrix} M_1 & 0 \\ 0 & M_2 \end{pmatrix},$$
where each $M_i$ (i = 1, 2) has at least one non-zero row and 0 denotes an all-0 matrix. Otherwise M is called indecomposable. By permuting rows and columns, H can be transformed into the following form:
$$H = \begin{pmatrix} \mathbf{1} & \Gamma_1 & 0 & \ldots & 0 \\ \mathbf{1} & 0 & \Gamma_2 & \ldots & 0 \\ & & & \ldots & \\ \mathbf{1} & 0 & 0 & \ldots & \Gamma_t \end{pmatrix}, \qquad (10)$$
where each $\Gamma_i$ is an indecomposable sub-matrix for 1 ≤ i ≤ t.

Definition 8. Define $E \oplus F = \{Z \mid Z = X \cup Y,\ X \in E,\ Y \in F\}$, where E and F are any two collections of sets.

Theorem 3. Suppose
$$\Gamma = \begin{pmatrix} \Gamma_1 & 0 & \ldots & 0 \\ 0 & \Gamma_2 & \ldots & 0 \\ & & \ldots & \\ 0 & 0 & \ldots & \Gamma_t \end{pmatrix}, \qquad (11)$$
and every $\Gamma_i$ (1 ≤ i ≤ t) is indecomposable. If $T, T_1, ..., T_t$ are the real adversary structures of the access structures $\Gamma, \Gamma_1, ..., \Gamma_t$ respectively, then $T = T_1 \oplus T_2 \oplus \cdots \oplus T_t$.

Proof: Let $\Gamma_i$ be related only to the $i_1$-th, ..., $i_{s_i}$-th columns of Γ for 1 ≤ i ≤ t, where $s_1 + s_2 + ... + s_t = n$. Take any $S \in T_1 \oplus T_2 \oplus \cdots \oplus T_t$, that is, $S = S_1 \cup S_2 \cup \cdots \cup S_t$ with each $S_i \in T_i$ for i = 1, 2, ..., t. Obviously, S ⊂ [1, n] is a candidate accepted set because any $S_i$ and $S_j$ are independent of each other. At the same time, S must be a maximal candidate accepted set; otherwise there exists at least one $j \in \overline{S}$ such that S ∪ {j} is a candidate accepted set, hence j is related to some $\Gamma_i$, that is, there exists some $S_i$ such that $S_i \cup \{j\}$ is a candidate accepted set, which contradicts the fact that $S_i$ is a maximal candidate accepted set. So S ∈ T. Conversely, take any S ∈ T; then S can be divided into $S = S_1 \cup S_2 \cup \cdots \cup S_t$, where $S_i \subseteq \{i_1, ..., i_{s_i}\}$. Because all participants in S cannot reconstruct the secret, all participants in each $S_i$ cannot do so either. Suppose some $S_i$ is only a candidate accepted set but not in $T_i$, i.e., it is not a maximal candidate accepted set, while the other $S_j \in T_j$, j ≠ i. Then for the set $\{i_1, ..., i_{s_i}\}$ there must exist a subset $S' \subset \{i_1, ..., i_{s_i}\}$ such that $S' \cup S_i \in T_i$, hence $S_1 \cup \cdots \cup S' \cup S_i \cup \cdots \cup S_t$ is also a maximal candidate accepted set, which contradicts $S = S_1 \cup S_2 \cup \cdots \cup S_t \in T$. So each $S_i \in T_i$ for i = 1, 2, ..., t. That is, if S ∈ T, then $S \in T_1 \oplus T_2 \oplus \cdots \oplus T_t$. □

Hence, finding the real adversary structure of Γ reduces to constructing the real adversary structure of each indecomposable matrix $\Gamma_i$. Let $A_i = \{j \mid 1 \le j \le n,\ |\mathrm{supp}(z_j)| = i\}$, where $z_j$ is the jth column of $H_B$. Obviously, $\sum_{i=0}^{m} |A_i| = n$.

Lemma 5. For any $H_B$, if $l \in A_1$, then the participant $P_l$ must belong to every element in the generating adversary structure of $H_B$.

Proof: Assume $y = (1, y_1, ..., y_n)$ is a possible vector of $H_B$; then the lth component of y can be computed as $y_l = \sum_{j=1}^{t} k_j h_{i_j l}$. Because $k_1, ..., k_t \in \mathbb{F}_q^*$, and only one of $h_{i_1 l}, ..., h_{i_t l}$ is non-zero, we have $y_l \neq 0$. □

Theorem 4. If B is overlayed by $T_1 \cup T_2$, but not by any proper subset of $T_1 \cup T_2$, then $T_1 \cup T_2 \in T_B$, where $T_1 \cap A_1 = \emptyset$ and $T_2 \cap A_1 = \emptyset$. Every element in $T_B$ can be obtained in this way.

Proof: For any $k \in T_1 \cup T_2$ with $k \notin A_0$, $(T_1 \cup T_2) \setminus \{k\}$ does not overlay B, and $T_1 \cup T_2 \cup \{k\}$ contains at least one $S_j \in \Gamma$ with j ∈ B. That is, $T_1 \cup T_2$ is a candidate accepted set, but $T_1 \cup T_2 \cup \{k\}$ is not a candidate accepted set for any $k \in \overline{T_1 \cup T_2}$, i.e., $k \notin T_1 \cup T_2$; hence $T_1 \cup T_2$ is in $T_B$ according to the definition of maximal candidate accepted set. $T_1 \cap A_1 = \emptyset$ and $T_2 \cap A_1 = \emptyset$ hold by Lemma 5. On the other hand, if $S \in T_B$, then S must overlay B by Lemma 3. Now assume there exists a proper subset S′ ⊂ S such that S′ overlays B; then S′ is a generating candidate set of $H_B$. However, S ⊂ S′ is contrary to the assumption that S is a maximal candidate accepted set. That is, if S is a maximal rejected set of $H_B$, then it must be generated by a set T which overlays B while B is not overlayed by any proper subset of T. □

Now we provide an algorithm to generate R(C) for any access structure Γ. Assume the access structure Γ is decomposable and is composed of $\Gamma_1, ..., \Gamma_t$, where each $\Gamma_i$ is indecomposable for i = 1, ..., t.

Algorithm: Finding R(C) from Γ.
1) Construct the real adversary structure $T_i$ for $\Gamma_i$.
 a) Assume that $H_i = (\mathbf{1}\ \ \Gamma_i)$ is an $m_i \times (n_i + 1)$ matrix; for simplicity we denote its rows and columns by the symbols $\{r_1, r_2, ..., r_{m_i}\}$ and $\{0, l_1, ..., l_{n_i}\}$ respectively, where column 0 denotes the first column of $H_i$, $\sum_{i=1}^{t} m_i = m$ and $\sum_{i=1}^{t} n_i = n$. $H_{iB}$ is the sub-matrix of $H_i$ composed of all rows of $H_i$ indexed by B, where B is a subset of $\{r_1, r_2, ..., r_{m_i}\}$ and $2 \le t\,(= |B|) \le m_i$.
 b) The following algorithm generates $T_{iB}$ of $H_{iB}$ (initially $T_{iB}$ is empty). Assume $A_j = \{l_k \mid k \in \{1, ..., n_i\},\ |\mathrm{supp}(s_k)| = j\}$, where the column vector $s_k$ is the kth column of $H_{iB}$.
  i) If $A_t \neq \emptyset$, then add $\{l_1, ..., l_{n_i}\} \setminus \{j\}$ to $T_{iB}$ for each $j \in A_t$.
  ii) Assume $A_{t-j} \neq \emptyset$. If j = 1, ..., t − 3 and $T_1 \subseteq A_{t-j}$, $T_2 \subseteq A_2 \cup ... \cup A_{t-j-1}$, add $\{l_1, ..., l_{n_i}\} \setminus (T_1 \cup T_2)$ to $T_{iB}$; or, if j = t − 2 and $T_1 \subseteq A_2$, $T_2 \subseteq A_2$, then add $\{l_1, ..., l_{n_i}\} \setminus (T_1 \cup T_2)$ to $T_{iB}$, where B is overlayed by $T_1 \cup T_2$ but not by any proper subset of $T_1 \cup T_2$, and $|T_1| \ge 1$.
 c) Construct $T_i$. Assume $T_{iB} = T'_{iB} \cup D$, where any $b \in T'_{iB}$ must not include any set $S_y$ with y a row vector of $H_i$; then
$$T_i = \bigcup_{B \subseteq [1, m_i],\ |B| \ge 2} T'_{iB}.$$
2) Construct R(C) for Γ. According to Theorem 3, $R(C) = T_1 \oplus ... \oplus T_t$.

This algorithm may still have exponential running time when n is large. However, we obtain an adversary structure R(C) of smaller size if some columns of H contain only one non-zero element. In particular, the more columns of H have only one non-zero element, the smaller the size of R(C) will be. Let
$$G_1 = \begin{pmatrix} 1 & g_{11} & g_{12} & \cdots & g_{1n} \\ 1 & g_{21} & g_{22} & \cdots & g_{2n} \\ \cdots & \cdots & \cdots & \cdots & \cdots \\ 1 & g_{l1} & g_{l2} & \cdots & g_{ln} \end{pmatrix} = \begin{pmatrix} g_1 \\ g_2 \\ \cdots \\ g_l \end{pmatrix}, \qquad (12)$$
where $g_{ij} = 0$ if $j \in R_i$ and $R(C) = \{R_1, R_2, ..., R_l\}$.

Corollary 1. There is a linear code for a given access structure $\Gamma = \{S_1, ..., S_m\}$ if and only if the following system of quadratic equations
$$G_1 H^{\mathsf T} = 0 \qquad (13)$$
has a solution for $h_{ij}$, $j \in S_i$, and $g_{ij}$, $j \notin R_i$, over $\mathbb{F}_q$ with $h_{ij} \neq 0$ for $j \in S_i$.

Example 6 (Continued from Example 2). Answer: According to Theorem 4, R(C) = {(1, 2, 4, 5, 6), (3, 4, 6)}. Let
$$H = \begin{pmatrix} 1 & h_{11} & h_{12} & h_{13} & 0 & 0 & 0 \\ 1 & 0 & 0 & h_{23} & h_{24} & h_{25} & 0 \\ 1 & 0 & 0 & h_{33} & 0 & h_{35} & h_{36} \end{pmatrix}, \qquad G_1 = \begin{pmatrix} 1 & 0 & 0 & g_{13} & 0 & 0 & 0 \\ 1 & g_{21} & g_{22} & 0 & 0 & g_{25} & 0 \end{pmatrix},$$
where $h_{ij} \in \mathbb{F}_q^*$ for 1 ≤ i ≤ 3, 1 ≤ j ≤ 6, and $g_{ij} \in \mathbb{F}_q$ for 1 ≤ i ≤ 2, 1 ≤ j ≤ 6. According to Corollary 1, we obtain the following equations:
$$\left\{\begin{array}{l} 1 + h_{13} g_{13} = 0 \\ 1 + h_{11} g_{21} + h_{12} g_{22} = 0 \\ 1 + h_{23} g_{13} = 0 \\ 1 + h_{25} g_{25} = 0 \\ 1 + h_{33} g_{13} = 0 \\ 1 + h_{35} g_{25} = 0 \end{array}\right. \qquad (14)$$
Obviously, the equations (14) have solutions in any finite field $\mathbb{F}_q$. Since |R(C)| ≤ |R|, the matrix $G_1$ determined by R(C) is much smaller than the matrix G determined by R. Hence it is easier to solve equation (12) than equation (4).

V. THE OPTIMAL LINEAR CODE

In Section III, we solved the problem of how to construct an ideal linear code realizing a given access structure Γ if it exists; however, how can we obtain the optimal linear code realizing a given access structure if there is no ideal linear code? In this section, we propose an algorithm to find the optimal linear code realizing a given access structure.

A. An Algorithm to Find the Optimal Linear Code

For a given access structure Γ, how can we obtain the optimal linear code if there is no ideal linear code realizing it? That is, how can we obtain the optimal linear code realizing Γ if there is no solution to the quadratic equations (4)? In an ideal linear code, each participant in Γ "owns" exactly one component of a codeword, hence he "owns" exactly one corresponding column of the generator matrix G and of the check matrix H. In the optimal linear code, each participant in Γ "owns" some components of a codeword, and as a result he "owns" some corresponding columns of G and H. However, the generator matrix G and check matrix H of the optimal linear code realizing Γ still satisfy the quadratic equations (4); hence we obtain the following algorithm, which finds the optimal linear code realizing Γ.

Algorithm: The optimal linear code realizing Γ.
1) Adding a column to each of the matrices G and H, we obtain two matrices $G_1$ and $H_1$ with n + 2 columns.
The new column is inserted as the i-th column of G_1 and H_1 and has the same form as the (i + 1)-th column of G_1 and H_1; each choice i = 2, 3, ..., n + 1 (a copy of the column of one participant) is tried. Two columns have the same form if their entries satisfy the restrictions of Theorem 2. There exists a linear code of length n + 2 realizing Γ if the system of quadratic equations G_1 H_1^T = 0 has a solution; that code is the output.

2) If G_1 H_1^T = 0 has no solution, add two columns to each of G and H, obtaining matrices G_2 and H_2 with n + 3 columns. The two new columns have the same forms as two columns, or as one column, of G and H. There exists a linear code of length n + 3 realizing Γ if the system of quadratic equations G_2 H_2^T = 0 has a solution; that code is the output.

3) Suppose G_i H_i^T = 0 has no solution, where G_i and H_i are obtained by adding i columns to G and H. Add i + 1 columns to each of G and H, obtaining matrices G_{i+1} and H_{i+1} with n + i + 2 columns. The i + 1 new columns have the same forms as i + 1 columns, or i columns, ..., or one column of G and H. There exists a linear code of length n + i + 2 realizing Γ if the system of quadratic equations G_{i+1} H_{i+1}^T = 0 has a solution; that code is the output.

4) Repeat step 3 until G_{i+1} H_{i+1}^T = 0 has a solution for some i; the output is a linear code realizing Γ.

Remarks: in order to obtain the optimal linear code,

1) in step 2, first let the two new columns have the forms of two columns of G and H; only if that yields no linear code, let both have the form of one column.

2) in step 3, first let the i + 1 new columns have the forms of i + 1 columns, then the forms of i columns if there is no linear code for i + 1, then of i - 1 columns if there is none for i, ..., and finally all the same form if there is none for 2 columns.

3) in step 3, if the i + 1 new columns have the forms of j columns of G (or H), 1 ≤ j ≤ i + 1, the information rate of the resulting code belongs to {1/2, 1/3, ..., 1/(i + 2)}. So we first consider the linear code with information rate 1/2, then 1/3, ..., and finally 1/(i + 2).

Theorem 5. Given an access structure Γ, the above algorithm finds the optimal linear code realizing it.
Proof: According to [14], the algorithm always terminates with an output, which is a linear code realizing Γ. We now prove that this linear code is the optimal linear code realizing Γ.

Case 1: If there is an output in step 1, it is the optimal linear code realizing Γ, because there is no ideal linear code realizing Γ and the output has the shortest remaining length n + 2. Its information rate is 1/2.

Case 2: The linear code of length n + 3 in step 2 is the shortest among all linear codes realizing Γ, because no linear code of length n + 1 or n + 2 realizes Γ. The optimal linear code is obtained according to Remark 1, and its information rate is 1/2 or 1/3.

Case 3: The linear code of length n + i + 2 in step 3 is the shortest among all linear codes realizing Γ, because no linear code of length n + 1, n + 2, ..., n + i + 1 realizes Γ. The optimal linear code realizing Γ is obtained according to Remarks 2 and 3, and its information rate belongs to {1/2, 1/3, ..., 1/(i + 2)}.
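The following Python program is an added example and is not part of the paper. It decides the system of Corollary 1 and runs steps 1 to 4 of the algorithm above, using the paper's own instances as input: the access structure read off the matrix H of Example 6 (S_1 = {1,2,3}, S_2 = {3,4,5}, S_3 = {3,5,6}, inferred here because Example 2 itself is not reproduced on this page) and the structure Γ = {(1,2),(2,3),(3,4)} of Section V-B. Two assumptions are mine rather than the paper's: q is taken prime, so F_q is arithmetic modulo q, and the adversary structure is the full family of maximal unqualified sets rather than the reduced R(C) of Theorem 3 (this only enlarges G_1). The function names are illustrative. The point worth seeing in code is that (13) is bilinear: once H is fixed, each row of G_1 satisfies a linear system over F_q, so the search enumerates only the non-zero entries of H and solves for G_1 by Gauss-Jordan elimination instead of brute-forcing the whole quadratic system.

```python
"""Added example (not the paper's code): decide G_1 H_1^T = 0 (Corollary 1) and
run steps 1-4 of the Section V-A algorithm.  Assumptions: q is prime, and R is
the full set of maximal unqualified sets (not the reduced R(C) of Theorem 3)."""
from itertools import combinations, combinations_with_replacement, product


def maximal_unqualified(gamma, n):
    """R: maximal subsets of {1..n} that contain no minimal qualified set S_i."""
    unq = [set(T) for k in range(n + 1) for T in combinations(range(1, n + 1), k)
           if not any(set(S) <= set(T) for S in gamma)]
    return [T for T in unq if not any(T < U for U in unq)]


def solve_linear_mod_p(aug, p):
    """Gauss-Jordan on an augmented matrix [A | b] over F_p.  Returns one x with
    A x = b (free unknowns set to 0), or None if the system is inconsistent."""
    rows = [[v % p for v in r] for r in aug]
    m, n = len(rows), len(rows[0]) - 1
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)                  # modular inverse (Python >= 3.8)
        rows[r] = [(v * inv) % p for v in rows[r]]
        for i in range(m):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % p for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(rows[i][n] for i in range(r, m)):          # a row 0 = nonzero: no solution
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = rows[i][n]
    return x


def find_code(q, gamma, owner):
    """Search for (H_1, G_1) over F_q with the column pattern `owner`.
    owner[j] is the participant owning column j >= 1; column 0 is the secret and
    equals 1 in every row.  Row i of H_1 is non-zero exactly on the columns owned
    by members of S_i; row k of G_1 is zero on the columns owned by members of
    R_k.  For a fixed H_1 the constraints on each row of G_1 are linear."""
    n, m = max(owner), len(owner)
    cols = range(1, m)
    R = maximal_unqualified(gamma, n)
    h_pos = [(i, j) for i, S in enumerate(gamma) for j in cols if owner[j] in S]
    for vals in product(range(1, q), repeat=len(h_pos)):    # h_ij in F_q^*
        H = [[1] + [0] * (m - 1) for _ in gamma]
        for (i, j), v in zip(h_pos, vals):
            H[i][j] = v
        G = []
        for Rk in R:
            free = [j for j in cols if owner[j] not in Rk]    # unknown g_kj
            # row i of H_1 times g_k:  1 + sum_{j free} H[i][j] * g_kj = 0
            x = solve_linear_mod_p([[H[i][j] for j in free] + [-1]
                                    for i in range(len(gamma))], q)
            if x is None:
                break
            g = [1] + [0] * (m - 1)
            for j, v in zip(free, x):
                g[j] = v
            G.append(g)
        else:
            return H, G
    return None


def check(H, G, q):
    """The condition of Corollary 1: G H^T = 0 over F_q."""
    return all(sum(a * b for a, b in zip(g, h)) % q == 0 for g in G for h in H)


def optimal_code(q, gamma, n, max_extra=3):
    """Steps 1-4 of Section V-A: length n+1 (ideal) first, then n+2, n+3, ...,
    each new column copying the form of an existing participant's column.
    Remark 3: patterns with more distinct owners (higher information rate) first."""
    for extra in range(max_extra + 1):
        dups = sorted(combinations_with_replacement(range(1, n + 1), extra),
                      key=lambda d: -len(set(d)))
        for d in dups:
            owner = [0] + sorted(list(range(1, n + 1)) + list(d))
            found = find_code(q, gamma, owner)
            if found is not None:
                return n + 1 + extra, owner, found
    return None


if __name__ == "__main__":
    EX6 = [(1, 2, 3), (3, 4, 5), (3, 5, 6)]   # access structure read off H in Example 6
    P4 = [(1, 2), (2, 3), (3, 4)]             # the Section V-B instance
    print("Example 6 over F_2:", optimal_code(2, EX6, 6)[:2])
    for q in (2, 3):
        print("V-B instance over F_%d:" % q, optimal_code(q, P4, 4, max_extra=1))
```

Over F_3 the search confirms that no ideal code of length 5 exists for the Section V-B structure, rejects the length-6 patterns that duplicate the column of participant 1 or 4, and stops at length 6 with the column of participant 2 duplicated, i.e. the paper's case (b). Over F_2 every non-zero h_ij is forced to 1 and all four length-6 patterns are rejected, so the solvability of the length-6 systems depends on q; the Example 6 structure, by contrast, is ideal over F_2 already.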

B. An Example

In this section we give an example of our algorithm. According to Example 3, there is no ideal linear code realizing Γ = {(1, 2), (2, 3), (3, 4)} in $\mathbb{F}_q^5$. We now find its optimal linear code with the algorithm of Section V-A. Step 1 gives the following four choices (a), (b), (c), (d) of (H_1, G_1), in which the new column has the same form as the column of participant 1, 2, 3 and 4 respectively:

(a)
$$H_1=\begin{pmatrix}1&h'_{11}&h_{11}&h_{12}&0&0\\1&0&0&h_{22}&h_{23}&0\\1&0&0&0&h_{33}&h_{34}\end{pmatrix},\qquad G_1=\begin{pmatrix}1&0&0&g_{12}&0&g_{14}\\1&0&0&g_{22}&g_{23}&0\\1&g'_{31}&g_{31}&0&g_{33}&0\end{pmatrix};$$

(b)
$$H_1=\begin{pmatrix}1&h_{11}&h'_{12}&h_{12}&0&0\\1&0&h'_{22}&h_{22}&h_{23}&0\\1&0&0&0&h_{33}&h_{34}\end{pmatrix},\qquad G_1=\begin{pmatrix}1&0&g'_{12}&g_{12}&0&g_{14}\\1&0&g'_{22}&g_{22}&g_{23}&0\\1&g_{31}&0&0&g_{33}&0\end{pmatrix};$$

(c)
$$H_1=\begin{pmatrix}1&h_{11}&h_{12}&0&0&0\\1&0&h_{22}&h'_{23}&h_{23}&0\\1&0&0&h'_{33}&h_{33}&h_{34}\end{pmatrix},\qquad G_1=\begin{pmatrix}1&0&g_{12}&0&0&g_{14}\\1&0&g_{22}&g'_{23}&g_{23}&0\\1&g_{31}&0&g'_{33}&g_{33}&0\end{pmatrix};$$

(d)
$$H_1=\begin{pmatrix}1&h_{11}&h_{12}&0&0&0\\1&0&h_{22}&h_{23}&0&0\\1&0&0&h_{33}&h'_{34}&h_{34}\end{pmatrix},\qquad G_1=\begin{pmatrix}1&0&g_{12}&0&g'_{14}&g_{14}\\1&0&g_{22}&g_{23}&0&0\\1&g_{31}&0&g_{33}&0&0\end{pmatrix},$$

where $h_{ij},h'_{ij}\in\mathbb{F}_q^{*}$ and $g_{ij},g'_{ij}\in\mathbb{F}_q$ for $1\le i\le 3$, $1\le j\le 4$. According to Theorem 2, we obtain the following equation systems (a′), (b′), (c′) and (d′) for (a), (b), (c) and (d) respectively:

$$\begin{cases}1+g_{12}h_{12}=0\\1+g_{12}h_{22}=0\\1+g_{14}h_{34}=0\\1+g_{22}h_{12}=0\\1+g_{22}h_{22}+g_{23}h_{23}=0\\1+g_{23}h_{33}=0\\1+g_{31}h_{11}+g'_{31}h'_{11}=0\\1+g_{33}h_{23}=0\\1+g_{33}h_{33}=0\end{cases}\qquad(a')$$


(b′ )

                                        

′ 1 + g12 h12 + g12 h′12 = 0 ′ 1 + g12 h22 + g12 h′22 = 0 1 + g14 h34 = 0 ′ 1 + g22 h12 + g22 h′12 = 0 ′ 1 + g22 h22 + g22 h′22 + g23 h23 = 0 1 + g23 h33 = 0 1 + g31 h11 = 0 1 + g33 h23 = 0 1 + g33 h33 = 0

1 + g12 h12 = 0 1 + g12 h22 = 0 1 + g14 h34 = 0 1 + g22 h12 = 0 ′ 1 + g22 h22 + g23 h23 + g23 h′23 = 0 (c′ )  ′ ′  1 + g23 h33 + g23 h33 = 0     1 + g31 h11 = 0    ′  1 + g33 h23 + g33 h′23 = 0    ′ 1 + g33 h33 + g33 h′33 = 0    1 + g12 h12 = 0   1 + g12 h22 = 0    ′  1 + g14 h34 + g14 h′34 = 0      1 + g22 h12 = 0 1 + g22 h22 + g23 h23 = 0 (d′ )   1 + g23 h33 = 0     1 + g31 h11 = 0     1 + g33 h23 = 0    1 + g33 h33 = 0 There exist solution for systems (b’),(c’)over Fq , and no solution for systems (a’),(d’) over Fq , hence there is the optimal linear code with length 6 in F6q for the access structure Γ. VI. C ONCLUSION In this paper, we consider existence of ideal linear code for given access structure Γ, and give a method to construct the optimal linear code realizing Γ if there is not an ideal linear code realizing Γ. This is the best work so far in this field. R EFERENCES [1] A. Ashikhmin, A. Barg, Minimal vectors in linear codes, IEEE Trans. Inf. Theory 44(5) 1998, pp. 2010-2017. [2] A. Ashikhmin, A. Barg, G. Cohen, and L. Huguet, Variations on minimal codewords in linear codes. Proc. AAECC, 1995, pp.96-105 [3] R.J. Anderson, C. Ding, T. Helleseth, and T. Klove, How to build robust shared control systems. Design, Codes and Cryptography, 15 (1998), pp. 111-124 [4] G.R. Blakley. Safeguarding cryptographic keys. Proc. NCC AFIPS, 1979, pp.313-317 [5] H. Chen and R. Cramer. Algebraic Geometric Secret Sharing Schemes and Secure Multi-Party Computation over Small Fields. Advances in Crypto 2006, 516-531, 2006 [6] I. Cascudo, H. Chen, R. Cramer and C. Xing. Asymptotically Good Ideal Linear Secret Sharing with Strong Multiplication Over Any Fixed Finite Field. Advances in Cryptology -CRYPTO 2009, pp. 466-486, 2009 20. [7] H. Chen, R. Cramer, S. Goldwasser, R. de Haan and V. Vaikuntanathan. Secure Computation from Random Error Correcting Codes. EuroCrypto 2007, LNCS 4515, pp. 291-310, 2007 [8] R. Cramer, I. Damgard, R. de Haan. 
Atomic Secure Multiplication with Low Communication. Advances in Eurocrypt 2007, 291-310, 2007 [9] R. Cramer, I. Damgard, U. Maurer. Efficient General Secure MultiParty Computation from any Linear Secret-Sharing Scheme. Advances in EURCRYPTO 2000, 316-334, 2000

[10] C. Ding and A. Salomaa, "Secret sharing schemes with nice access structures," Fundamenta Informaticae, vol. 73, no. 1-2, pp. 51-63, 2006.
[11] C. Ding and J. Yuan, "Covering and secret sharing with linear codes," DMTCS 2003, pp. 11-25, 2003.
[12] S. Goldwasser, "Multi-party computations: past and present," Proc. 16th Annual ACM Symposium on Principles of Distributed Computing, 1997, pp. 1-6.
[13] M. Ito, A. Saito, and T. Nishizeki, "Secret sharing scheme realizing any access structure," Proc. IEEE Globecom '87, 1987, pp. 99-102.
[14] M. Karchmer and A. Wigderson, "On span programs," Proc. 8th Annual Structure in Complexity Theory Conference, IEEE Computer Society Press, 1993, pp. 102-111.
[15] J. L. Massey, "Minimal codewords and secret sharing," Proc. 6th Joint Swedish-Russian Workshop on Information Theory, Aug. 22-27, 1993, pp. 276-279.
[16] J. L. Massey, "Some applications of coding theory in cryptography," Codes and Ciphers: Cryptography and Coding IV, 1995, pp. 33-47.
[17] J. L. Massey, "Three coding problems," report, Trondhjemsgade 3, 2TH, DK-2100 Copenhagen, Denmark, 2009.
[18] R. J. McEliece and D. V. Sarwate, "On sharing secrets and Reed-Solomon codes," Comm. ACM, vol. 24, pp. 583-584, 1981.
[19] W. Ogata and K. Kurosawa, "Some new results on nonperfect secret sharing schemes," Technical Report of IEICE, vol. 95, no. 423, pp. 45-52, 1995.
[20] W. Ogata, K. Kurosawa, and S. Tsujii, "Nonperfect secret sharing schemes," AUSCRYPT '92, pp. 56-66, 1993.
[21] A. Renvall and C. Ding, "The access structure of some secret sharing schemes," Information Security and Privacy, LNCS 1172, pp. 67-78, 1996.
[22] A. Shamir, "How to share a secret," Comm. ACM, vol. 22, pp. 612-613, 1979.
[23] J. Yuan and C. Ding, "Secret sharing schemes from two-weight codes," The Bose Centenary Symposium on Discrete Mathematics and Applications, Dec. 2002.
[24] J. Xu and X. Zha, "Secret sharing schemes with general access structure based on MSPs," Journal of Communications, vol. 2, no. 1, 2007.
[25] M. Liu and Z. Zhang, Secret Sharing Schemes and Secure Multiparty Computation (in Chinese), Publishing House of Electronics Industry, 2008.
